Endpoints-Describe security, compliance, privacy, and trust in Microsoft 365

An endpoint is any device that connects to the network from any location, whether the device belongs to the company, an employee, or a guest user. Zero Trust calls for security policies to be applied and enforced uniformly on endpoints of all types by tools such as Microsoft Intune, regardless of the users’ identities or the devices’ locations. Devices have identities as well, which must be validated during every transaction.

If one of the two main innovations of Microsoft 365 is the use of cloud-based services, the other is the ability of users to access those services using many different types of devices that run on various computing platforms and work at any location with Internet access. As noted earlier, VPN connections have long enabled remote users to access the company network from home or while traveling, using a laptop or desktop. In subsequent years, there were a few mobile devices—nearly always supplied to users by the company—that were able to access a remote network but with limited utility, such as email only. Today, Microsoft 365 enables remote users working with desktops, laptops, tablets, and smartphones to access virtually any enterprise service or resource they could access using an on-premises workstation. However, the trick is to make this access possible while also making it secure.

Therefore, device security in Microsoft 365 must address two relatively new issues:

  • Mobile devices that frequently operate outside of the organization’s protective perimeter
  • The increasing use of BYOD mobile devices that are not selected and owned by the company

Because mobile devices can access any and all sensitive information maintained by the enterprise, there must be some means to protect that information from the threats to which all mobile devices are subject, including loss, theft, and misuse.

Endpoint security

While administrators can still use traditional access-control measures, such as file system permissions, to regulate who can work with the organization’s sensitive data, the Azure Active Directory and Microsoft Intune services are primarily responsible for ensuring that the devices used to access that data are safe. Microsoft 365 supports a large number of mobile computing platforms, including the following:

  • Windows 10/11
  • Android
  • Android Enterprise
  • iOS
  • macOS

The interaction between mobile devices and the Microsoft 365 cloud services is complex, as shown in Figure 3-41. However, as you can see in the diagram, Microsoft Intune functions as a clearing house for many of these services and uses Entra ID for authentication and authorization.

FIGURE 3-41 Microsoft Intune service architecture

Even when organizations have a BYOD (Bring Your Own Device) policy for their users’ endpoints, those devices must be subject to some form of enterprise endpoint security. This is the primary function of Microsoft Intune, which is Microsoft 365’s endpoint management tool; administrators use Intune to enroll users’ devices and exercise some degree of management on them. By creating health compliance policies using Intune, enrolled devices can be checked for adherence to those policies before Entra ID authorizes them to access enterprise services and information. This is known as conditional access. Because Entra ID and Intune operate in the cloud, they can control access to the other Microsoft 365 services from any location.
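The conditional access flow described above can be made concrete with a policy definition. The following is an added example, not code from the book or from Microsoft's documentation; it assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph module) is installed and that the signed-in administrator has been granted the Policy.ReadWrite.ConditionalAccess permission. The excluded emergency-access account ID is a placeholder to be replaced with the tenant's own value.

```powershell
# Added example: a Conditional Access policy that lets Entra ID grant access
# only when Intune reports the device as compliant with its compliance policy.
# Assumes the Microsoft.Graph PowerShell SDK and Policy.ReadWrite.ConditionalAccess.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Require Intune-compliant device for all cloud apps (report-only)"
    # Report-only first: sign-in logs show which sign-ins would have been blocked
    # without locking anyone out, so the policy can be validated before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Always exclude at least one emergency-access (break-glass) account
            # so an Intune or compliance outage cannot lock administrators out.
            excludeUsers = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>")   # placeholder
        }
        applications = @{ includeApplications = @("All") }
        # The platforms listed in this section; other platforms are not covered
        # by this policy and would need a separate control (for example, a block).
        platforms = @{ includePlatforms = @("windows", "android", "iOS", "macOS") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # the Intune compliance check
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm the policy exists and is in the expected state before switching it to "enabled".
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

The policy is created in report-only mode on purpose: review the sign-in logs for the "report-only" result on each sign-in, confirm that only unenrolled or non-compliant devices would be affected, and only then change `state` to `"enabled"`. Because the grant control is evaluated by Entra ID on every token request, a device that later falls out of compliance in Intune loses access at its next sign-in without any on-premises component being involved.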
